Why Defense In Depth Must Include Secure Messaging

According to a recent Accenture report, federal, state and local government agencies experience over 50 times more cyber incidents than any private-sector industry. Lured by the opportunity to disrupt or devastate mission-critical services, operations and systems, cyber adversaries are rarely deterred by defenses of public sector agencies — especially since those agencies have a reputation for being egregiously slow to embrace any sort of digital transformation.

It should come as no surprise, then, to learn that hackers and cyber criminals haven’t had to reinvent the wheel to successfully attack government agencies. Email phishing remains the primary threat vector with approximately 90 percent of attacks resulting from spear-phishing or business email spoofing that all begin with the click of a link or download of a malicious document. While agencies have invested significant time, resources and money into phishing awareness and training, employees and rules-based spam filters are no match for the sophistication of today’s bad actors and their phishing lures.

Text messaging in business communications

One of the ways both private- and public-sectors employees avoid the persistent threats from phishing emails is by simply reducing their reliance on email altogether and moving to alternative communication channels such as SMS text messaging. In fact, already 80 percent of workers report using SMS texts as part of doing business, while nearly 70 percent of workers think their organization should use text messaging to communicate with staff. Even if text messaging is not a sanctioned form of communication in the workplace, employees will still text.

Text messaging has emerged as a favorite business communications medium because of its speed and brevity. Whether employees have a corporate-issued mobile device or use their own phones as part of a bring-our-own-device policy, the perception is that SMS texting provides a quick and highly efficient way to communicate. As the workforce becomes increasingly mobile and email continues to struggle to reduce risk, there is little doubt that texts will eventually overtake email for communications requiring rapid responses.

SMS texts not immune to risk

Before public-sector agencies jump on the SMS text bandwagon, it’s important to understand that SMS texts are as vulnerable to phishing scams as email. Known as “smishing,” these attacks are all but identical to email phishing in that the goal is to trick message recipients into clicking a compromised link, sharing personal information or downloading a malware-filled attachment.

Smishing presents such a substantial threat to public-sector organizations because, unlike email, spam filters do not exist for SMS texts. In contrast, email gateways and filters actually do prevent many malicious messages from reaching an inbox.

Unfortunately, smishing is proving highly effective, as evidenced by news earlier this year that attacks increasing by over 300 percent. For example, a recent smishing campaign hoping to trick Czech device owners into downloading a malicious app containing a trojan horse, purported to be from the Czech Republic’s postal service. According to SC Magazine, it was designed to steal credit card information and commit other malicious activities. In total, mobile ransomware attacks, frequently delivered via smishing, are up 250 percent since January, according to InfoSecurity Magazine.

Secure messaging reduces the smishing threat

By deploying a secure messaging platform, government agencies can adapt to the preferences of today’s workers and embrace the benefits of text-based communications. With a secure messaging solution, only approved senders that have been granted access to an organizations’ platform can send messages, thereby eliminating the threat from outside senders entirely. Secure messaging can also prevent man-in-the-middle attacks, which can occur when unencrypted SMS texts are sent on an open network.

Additionally, with advanced secure messaging, the sender maintains complete control of the conversation, the data and its use at all times, preventing unintentional sharing, data theft and propagation of information. Further, unlike native SMS text, secure messaging removes texts from sender and recipient devices and ensures all texts are captured and archived to the agency’s repository of record for compliance purposes .

Many public-sector organizations are spending millions annually on their cybersecurity defenses. From endpoint and network to website and cloud, the defense-in-depth strategy now includes a variety of tools in the stack. So long as phishing remains the primary attack vector, organizations must allocate funds to specifically combat this threat. Adding secure messaging technology accomplishes this, and more.

(Article originally published in GSN on December 8, 2017 by Dr. Galina Datskovsky)